Amster

OIDCIDTokenValidator

Realm Operations

Resource path:

/realm-config/authentication/authenticationtrees/nodes/OidcNode

Resource version: 2.0

create

Usage

am> create OIDCIDTokenValidator --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "script" : {
      "title" : "Transformation Script",
      "description" : "A script that can transform the ID token's claims into object data.",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "oidcValidationValue" : {
      "title" : "OpenID Connect Validation Value",
      "description" : "Depending on the value of the <code>OpenID Connect Validation Type</code> property, this property holds the full URL of the provider's discovery document or JSON Web Key Set (JWKS), from which AM retrieves the public keys used to verify the ID token signature. Because this URL is the trust anchor for signature validation, it should be an HTTPS URL and exactly the provider's published location. If <code>OpenID Connect Validation Type</code> is set to <code>Client Secret</code>, AM ignores this property and uses the value of the <code>Client Secret</code> instead. <p> Example: https://accounts.google.com/.well-known/openid-configuration",
      "propertyOrder" : 200,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration"
    },
    "audienceName" : {
      "title" : "Audience name",
      "description" : "The audience name for this OpenID Connect node. It is checked against the audience (<code>aud</code>) claim of the received ID token to confirm that the token is intended for this node.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "oidcValidationType" : {
      "title" : "OpenID Connect Validation Type",
      "description" : "To validate the ID token from the OpenID Connect provider, the node needs either a URL from which to retrieve the provider's public keys, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the validation type is <code>.well-known/openid-configuration_url</code>, meaning the node retrieves the keys based on the information in the OpenID Connect Provider Configuration Document. <p>You can instead configure the node to validate the ID token signature with the client secret you provide (a shared HMAC key, so any party holding the secret can produce tokens that pass validation; protect it accordingly), or to validate the ID token with the keys retrieved from the URL of the OpenID Connect provider's JSON Web Key Set.",
      "propertyOrder" : 100,
      "type" : "string",
      "exampleValue" : ""
    },
    "headerName" : {
      "title" : "ID Token Header Name",
      "description" : "Name of the HTTP request header from which the node reads the ID token to validate.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    },
    "secretId" : {
      "title" : "Client Secret Label",
      "description" : "A secret label for mapping the OIDC client secret to a secret in the secret store; used when <code>OpenID Connect Validation Type</code> is <code>Client Secret</code>. <br>The label can only contain the characters <code>a-z</code>, <code>A-Z</code>, <code>0-9</code> and <code>.</code>, and cannot start or end with <code>.</code>.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : "clientsecret"
    },
    "inputs" : {
      "title" : "Script Inputs",
      "description" : "A list of state inputs that can be used by the script.",
      "propertyOrder" : 900,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authorisedParties" : {
      "title" : "Authorized parties",
      "description" : "A list of case-sensitive accepted authorized parties, which can be either plain string or URI values. The authorized party (<code>azp</code>) claim of the ID token is checked against this list; at least one entry is required.",
      "propertyOrder" : 700,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "unreasonableLifetimeLimit" : {
      "title" : "Unreasonable Lifetime Limit",
      "description" : "During token validation AM enforces that the token must expire (<code>exp</code>) within the specified duration and, if the <code>iat</code> (issued-at) claim is present, that the token was not issued more than the specified duration ago. This bounds the window in which a long-lived or leaked ID token remains acceptable. The value is in minutes.",
      "propertyOrder" : 1000,
      "type" : "integer",
      "exampleValue" : ""
    },
    "idTokenIssuer" : {
      "title" : "Token Issuer",
      "description" : "Name of the OpenID Connect ID token issuer. The value must exactly match the <code>iss</code> claim of the issued ID token, including any scheme, for example <code>https://accounts.google.com</code>.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com"
    }
  },
  "required" : [ "script", "oidcValidationValue", "audienceName", "oidcValidationType", "headerName", "inputs", "authorisedParties", "unreasonableLifetimeLimit", "idTokenIssuer" ]
}

delete

Usage

am> delete OIDCIDTokenValidator --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action OIDCIDTokenValidator --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action OIDCIDTokenValidator --realm Realm --actionName getCreatableTypes

listOutcomes

List the available outcomes for the node type.

Usage

am> action OIDCIDTokenValidator --realm Realm --body body --actionName listOutcomes

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action OIDCIDTokenValidator --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query supports only the _queryFilter=true filter.

Usage

am> query OIDCIDTokenValidator --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read OIDCIDTokenValidator --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update OIDCIDTokenValidator --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "script" : {
      "title" : "Transformation Script",
      "description" : "A script that can transform the ID token's claims into object data.",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "oidcValidationValue" : {
      "title" : "OpenID Connect Validation Value",
      "description" : "Depending on the value of the <code>OpenID Connect Validation Type</code> property, this property holds the full URL of the provider's discovery document or JSON Web Key Set (JWKS), from which AM retrieves the public keys used to verify the ID token signature. Because this URL is the trust anchor for signature validation, it should be an HTTPS URL and exactly the provider's published location. If <code>OpenID Connect Validation Type</code> is set to <code>Client Secret</code>, AM ignores this property and uses the value of the <code>Client Secret</code> instead. <p> Example: https://accounts.google.com/.well-known/openid-configuration",
      "propertyOrder" : 200,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com/.well-known/openid-configuration"
    },
    "audienceName" : {
      "title" : "Audience name",
      "description" : "The audience name for this OpenID Connect node. It is checked against the audience (<code>aud</code>) claim of the received ID token to confirm that the token is intended for this node.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "oidcValidationType" : {
      "title" : "OpenID Connect Validation Type",
      "description" : "To validate the ID token from the OpenID Connect provider, the node needs either a URL from which to retrieve the provider's public keys, or the symmetric key for an ID token signed with an HMAC-based algorithm. <p> By default, the validation type is <code>.well-known/openid-configuration_url</code>, meaning the node retrieves the keys based on the information in the OpenID Connect Provider Configuration Document. <p>You can instead configure the node to validate the ID token signature with the client secret you provide (a shared HMAC key, so any party holding the secret can produce tokens that pass validation; protect it accordingly), or to validate the ID token with the keys retrieved from the URL of the OpenID Connect provider's JSON Web Key Set.",
      "propertyOrder" : 100,
      "type" : "string",
      "exampleValue" : ""
    },
    "headerName" : {
      "title" : "ID Token Header Name",
      "description" : "Name of the HTTP request header from which the node reads the ID token to validate.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    },
    "secretId" : {
      "title" : "Client Secret Label",
      "description" : "A secret label for mapping the OIDC client secret to a secret in the secret store; used when <code>OpenID Connect Validation Type</code> is <code>Client Secret</code>. <br>The label can only contain the characters <code>a-z</code>, <code>A-Z</code>, <code>0-9</code> and <code>.</code>, and cannot start or end with <code>.</code>.",
      "propertyOrder" : 300,
      "type" : "string",
      "exampleValue" : "clientsecret"
    },
    "inputs" : {
      "title" : "Script Inputs",
      "description" : "A list of state inputs that can be used by the script.",
      "propertyOrder" : 900,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authorisedParties" : {
      "title" : "Authorized parties",
      "description" : "A list of case-sensitive accepted authorized parties, which can be either plain string or URI values. The authorized party (<code>azp</code>) claim of the ID token is checked against this list; at least one entry is required.",
      "propertyOrder" : 700,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "unreasonableLifetimeLimit" : {
      "title" : "Unreasonable Lifetime Limit",
      "description" : "During token validation AM enforces that the token must expire (<code>exp</code>) within the specified duration and, if the <code>iat</code> (issued-at) claim is present, that the token was not issued more than the specified duration ago. This bounds the window in which a long-lived or leaked ID token remains acceptable. The value is in minutes.",
      "propertyOrder" : 1000,
      "type" : "integer",
      "exampleValue" : ""
    },
    "idTokenIssuer" : {
      "title" : "Token Issuer",
      "description" : "Name of the OpenID Connect ID token issuer. The value must exactly match the <code>iss</code> claim of the issued ID token, including any scheme, for example <code>https://accounts.google.com</code>.",
      "propertyOrder" : 500,
      "type" : "string",
      "exampleValue" : "https://accounts.google.com"
    }
  },
  "required" : [ "script", "oidcValidationValue", "audienceName", "oidcValidationType", "headerName", "inputs", "authorisedParties", "unreasonableLifetimeLimit", "idTokenIssuer" ]
}